Security appliances should be in-line rather than out of band

Two industry insiders debate the best approach to NAC
Face-off. By Jeff Prince, ConSentry Networks, Network World, 01/29/2007

The question of whether security appliances should be deployed in-line or out of band depends on the answer to other key questions. Is authenticating users enough, or does IT need to control where users go on the network? For example, does IT need to limit what guests and contractors can do? Does IT need to guard against malware?

If any of these answers is yes, then the architecture becomes clear: Security appliances provide far greater control when deployed in-line rather than out of band. An old security adage says you can't control what you can't see. Only in-line devices can see the traffic.

LAN security starts with controlling who can come onto the LAN and checking whether users' machines are safe. These authentication and posture-check components constitute network-access control (NAC). For this step, in-line and out-of-band approaches offer similar capabilities. But in-line and out-of-band devices immediately diverge in their ability to provide postadmission controls. Controlling user activity and protecting against attack are critical, and this depends on in-line deployment.

Opposing view in this face-off: Security appliances should not be in-line rather than out of band

First, IT needs visibility. IT managers cannot control what Joe in sales can do if they don't know what applications he's running or what servers he's accessing. Similarly, threat detection depends on seeing all traffic so that anomalous patterns stand out. Only in-line security devices can provide this visibility.

Next, control requires enforcement, which requires in-line deployment. IT managers may want to enforce that guests get Internet-only access, contractors can reach only certain servers, but employees can go anywhere on the LAN. They may want to ensure that critical assets get extra protection — for example, only finance users can see and reach the finance server. Having this kind of identity-based control directly within the LAN enables IT to keep up with staff changes dynamically. In-line security appliances can learn a user's role during authentication and automatically apply changes as soon as they're in Active Directory or another identity store.

Limited postadmission control is possible with out-of-band appliances: they use virtual LANs (VLANs) to separate users. But IT managers must redesign the LAN, changing VLANs and access-control lists to provide identity-based rather than geographical separation. And a user can't be in more than one VLAN, so VLANs can't handle the CIO's need for both IT and executive resources.
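As an added illustration (not code from the article or from ConSentry Networks), the following Python model captures the identity-based post-admission control described in the two paragraphs above and sets it beside a single-VLAN model, to show why a user who holds two roles at once, such as the CIO's IT and executive roles, cannot be expressed by one VLAN assignment while an ordered role-based policy handles it directly. All users, roles, addresses, VLAN ids and zone names are constructed for the example.

```python
"""Identity-based post-admission policy vs. single-VLAN separation.

Added illustration; not code from the article or any vendor. Every user,
role, address, VLAN id and zone name below is constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed identity store: the roles an in-line appliance learns for a user
# at authentication time. Changing this dict stands in for an update in
# Active Directory or another identity store.
IDENTITY_STORE = {
    "joe":          {"employee", "sales"},
    "fin-ann":      {"employee", "finance"},
    "cio":          {"employee", "it", "executive"},   # two roles at once
    "contractor-7": {"contractor"},
    "guest-42":     {"guest"},
}

LAN = ipaddress.ip_network("10.0.0.0/8")   # constructed private address space

# Constructed zones; "internet" means any address outside the LAN prefix.
ZONES = {
    "finance_server":     ipaddress.ip_network("10.10.1.10/32"),
    "contractor_servers": ipaddress.ip_network("10.20.0.0/24"),
    "it_tools":           ipaddress.ip_network("10.30.0.0/24"),
    "exec_share":         ipaddress.ip_network("10.40.0.0/24"),
    "lan":                LAN,
}


def in_zone(zone: str, ip: ipaddress.IPv4Address) -> bool:
    if zone == "internet":
        return ip not in LAN
    return ip in ZONES[zone]


@dataclass(frozen=True)
class Rule:
    role: str      # "*" matches any authenticated user
    zone: str
    action: str    # "allow" or "deny"


# Ordered list, first match wins, default deny. Critical-asset rules come
# first so the broad "employees can go anywhere on the LAN" rule cannot
# override them.
POLICY = [
    Rule("finance", "finance_server", "allow"),
    Rule("*", "finance_server", "deny"),
    Rule("it", "it_tools", "allow"),
    Rule("*", "it_tools", "deny"),
    Rule("executive", "exec_share", "allow"),
    Rule("*", "exec_share", "deny"),
    Rule("employee", "lan", "allow"),
    Rule("employee", "internet", "allow"),
    Rule("contractor", "contractor_servers", "allow"),
    Rule("guest", "internet", "allow"),
]


def set_roles(user: str, roles: set) -> None:
    """Simulate a staff change landing in the identity store."""
    IDENTITY_STORE[user] = set(roles)


def identity_decision(user: str, dst: str) -> str:
    """Per-flow decision of an in-line appliance. Roles are read on every
    call, so a change in the identity store takes effect immediately."""
    roles = IDENTITY_STORE.get(user, set())  # unknown user: no roles, so deny
    ip = ipaddress.ip_address(dst)
    for rule in POLICY:
        if (rule.role == "*" or rule.role in roles) and in_zone(rule.zone, ip):
            return rule.action
    return "deny"


# Single-VLAN model: a user's port lands in exactly one VLAN, and each
# protected zone is reachable only from the VLAN that owns it.
ROLE_VLAN = {"finance": 110, "contractor": 120, "it": 130,
             "executive": 140, "employee": 100, "guest": 900}
ZONE_VLAN = {"finance_server": 110, "contractor_servers": 120,
             "it_tools": 130, "exec_share": 140}
ROLE_PRIORITY = ("finance", "it", "executive", "contractor", "employee", "guest")


def vlan_for(user: str) -> int:
    """Pick one VLAN from the user's roles; a port cannot carry two."""
    roles = IDENTITY_STORE.get(user, set())
    for role in ROLE_PRIORITY:
        if role in roles:
            return ROLE_VLAN[role]
    return ROLE_VLAN["guest"]


def vlan_decision(user: str, dst: str) -> str:
    ip = ipaddress.ip_address(dst)
    vlan = vlan_for(user)
    for zone, owner in ZONE_VLAN.items():
        if in_zone(zone, ip):
            return "allow" if vlan == owner else "deny"
    if vlan == ROLE_VLAN["guest"]:
        return "allow" if in_zone("internet", ip) else "deny"
    return "allow"
```

The contrast to look at is the `cio` user: `identity_decision` allows both `it_tools` and `exec_share` because the policy is evaluated against the full role set, while `vlan_decision` has to choose one VLAN at the port and so loses one of the two. The `set_roles` helper shows the other point in the text: granting `joe` the finance role changes the very next decision, with no VLAN or ACL redesign.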

Comments (5)

NAC Appliances vs. Firewalls
By Anonymous on February 4, 2007, 11:24 am
Excellent discussion points from both of them. However, Mr. Prince's comment that the devices should be in-line just as firewalls are is a little off the mark....

It's All About The Service
By Anonymous on January 30, 2007, 11:00 pm
It doesn't matter if it's in-line or out-of-band. When I select any vendor I challenge their dedication to solving my problems. I don't care about who has the...

In-line vs. OOB isn't about
By Anonymous on January 29, 2007, 4:30 pm
In-line vs. OOB isn't about in-line products being immature. This is about being able to actually deploy a solution without business disruptions. Regardless of...

inline vs out of band
By Anonymous on January 29, 2007, 1:50 pm
If inline methods could provide the same availability and performance as network switches today, there would be no reason to do this out-of-band. The only reason...

Face-off: NAC
By Inbox on January 28, 2007, 5:51 pm
What do you think about the best way to do NAC? Read Jeff Prince on in-line solutions and Grant Hartine on out-of-band answers and jump in with your thoughts.
